Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 04:21

General

  • Target

    14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe

  • Size

    645KB

  • MD5

    14aa8760fa3e3d00d2b0e18b6491dc4f

  • SHA1

    3d02f92123ce0aed6788e7a8c5fd32489ef94f2b

  • SHA256

    580cdee9a1dcaa2c53c97cb0685058e81db7dd7b234c5f5818d8d44cec7548fb

  • SHA512

    f14ec0ee64559e410ad43ca1d490df5f8da8a19527727996be81f461ab32d513437e62a2d4e2926f05e21653bde492ba66bc9af79d6295ec132d6eeebf71d854

  • SSDEEP

    12288:Tzo75/bUOEXYKZYsw5Eq65otrGaUtzAyFVpzM4TjVlZP+/lA/DL0+5kG:I75IbYAY/5EqIotKHtkyFg2VTkADA+5F

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\14aa8760fa3e3d00d2b0e18b6491dc4f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\windows\SysWOW64\magiclink.exe
      "C:\windows\system32\magiclink.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4040
      • C:\windows\SysWOW64\magiclink.exe
        "C:\windows\system32\magiclink.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5604
        • C:\windows\SysWOW64\magiclink.exe
          "C:\windows\system32\magiclink.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5768
          • C:\windows\SysWOW64\magiclink.exe
            "C:\windows\system32\magiclink.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:5568
            • C:\windows\SysWOW64\magiclink.exe
              "C:\windows\system32\magiclink.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4544
              • C:\windows\SysWOW64\magiclink.exe
                "C:\windows\system32\magiclink.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:5536
                • C:\windows\SysWOW64\magiclink.exe
                  "C:\windows\system32\magiclink.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:5076
                  • C:\windows\SysWOW64\magiclink.exe
                    "C:\windows\system32\magiclink.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:1092
                    • C:\windows\SysWOW64\magiclink.exe
                      "C:\windows\system32\magiclink.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:1580
                      • C:\windows\SysWOW64\magiclink.exe
                        "C:\windows\system32\magiclink.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:556
                        • C:\windows\SysWOW64\magiclink.exe
                          "C:\windows\system32\magiclink.exe"
                          12⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:3332
                          • C:\windows\SysWOW64\magiclink.exe
                            "C:\windows\system32\magiclink.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Suspicious use of WriteProcessMemory
                            PID:3748
                            • C:\windows\SysWOW64\magiclink.exe
                              "C:\windows\system32\magiclink.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:2692
                              • C:\windows\SysWOW64\magiclink.exe
                                "C:\windows\system32\magiclink.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of WriteProcessMemory
                                PID:2884
                                • C:\windows\SysWOW64\magiclink.exe
                                  "C:\windows\system32\magiclink.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:440
                                  • C:\windows\SysWOW64\magiclink.exe
                                    "C:\windows\system32\magiclink.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of WriteProcessMemory
                                    PID:1104
                                    • C:\windows\SysWOW64\magiclink.exe
                                      "C:\windows\system32\magiclink.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:3232
                                      • C:\windows\SysWOW64\magiclink.exe
                                        "C:\windows\system32\magiclink.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of WriteProcessMemory
                                        PID:4304
                                        • C:\windows\SysWOW64\magiclink.exe
                                          "C:\windows\system32\magiclink.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of WriteProcessMemory
                                          PID:3400
                                          • C:\windows\SysWOW64\magiclink.exe
                                            "C:\windows\system32\magiclink.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Suspicious use of WriteProcessMemory
                                            PID:3556
                                            • C:\windows\SysWOW64\magiclink.exe
                                              "C:\windows\system32\magiclink.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Suspicious use of WriteProcessMemory
                                              PID:5392
                                              • C:\windows\SysWOW64\magiclink.exe
                                                "C:\windows\system32\magiclink.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                PID:5628
                                                • C:\windows\SysWOW64\magiclink.exe
                                                  "C:\windows\system32\magiclink.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  PID:5760
                                                  • C:\windows\SysWOW64\magiclink.exe
                                                    "C:\windows\system32\magiclink.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    PID:4408
                                                    • C:\windows\SysWOW64\magiclink.exe
                                                      "C:\windows\system32\magiclink.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      PID:464
                                                      • C:\windows\SysWOW64\magiclink.exe
                                                        "C:\windows\system32\magiclink.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        PID:5936
                                                        • C:\windows\SysWOW64\magiclink.exe
                                                          "C:\windows\system32\magiclink.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:4812
                                                          • C:\windows\SysWOW64\magiclink.exe
                                                            "C:\windows\system32\magiclink.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:4508
                                                            • C:\windows\SysWOW64\magiclink.exe
                                                              "C:\windows\system32\magiclink.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:432
                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                "C:\windows\system32\magiclink.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:4560
                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                  "C:\windows\system32\magiclink.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  PID:340
                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                    "C:\windows\system32\magiclink.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    PID:2208
                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                      "C:\windows\system32\magiclink.exe"
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      PID:5020
                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                        "C:\windows\system32\magiclink.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        PID:4124
                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                          "C:\windows\system32\magiclink.exe"
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          PID:2308
                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                            "C:\windows\system32\magiclink.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            PID:3920
                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                              "C:\windows\system32\magiclink.exe"
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              PID:4412
                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                "C:\windows\system32\magiclink.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                PID:4672
                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                  40⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  PID:6052
                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                    41⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    PID:2480
                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      PID:4196
                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        PID:844
                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          PID:5308
                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                            45⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            PID:3208
                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:3400
                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                PID:4768
                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:3204
                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:5604
                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:5408
                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                        51⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        PID:2412
                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                          52⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:5916
                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:464
                                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                                              54⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              PID:3216
                                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                                55⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:3284
                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  PID:3160
                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                    57⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:1380
                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:2440
                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                        59⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:6068
                                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                                          60⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:4352
                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:3624
                                                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                                                              62⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:4496
                                                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                                                63⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:5128
                                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  PID:2720
                                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Checks computer location settings
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:4952
                                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                                      66⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      PID:3188
                                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                                        67⤵
                                                                                                                                          PID:5360
                                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                                            68⤵
                                                                                                                                            • Drops file in System32 directory
                                                                                                                                            PID:5560
                                                                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                                                                              69⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              PID:1588
                                                                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                                                                70⤵
                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                PID:1104
                                                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                                                  71⤵
                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                  PID:6004
                                                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                                                    72⤵
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                    PID:3128
                                                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                                                      73⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      PID:2952
                                                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                                                        74⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        PID:2556
                                                                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                                                                          75⤵
                                                                                                                                                          • Checks computer location settings
                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                          PID:3556
                                                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                                                            76⤵
                                                                                                                                                            • Checks computer location settings
                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                            PID:6088
                                                                                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                                                                                              77⤵
                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                              PID:6100
                                                                                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                                                                                78⤵
                                                                                                                                                                  PID:2548
                                                                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                                                                    79⤵
                                                                                                                                                                      PID:3812
                                                                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                                                                        80⤵
                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                        PID:5488
                                                                                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                                                                                          81⤵
                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                          PID:5972
                                                                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                                                                            82⤵
                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                            PID:4812
                                                                                                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                                                                                                              83⤵
                                                                                                                                                                                PID:3888
                                                                                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                  84⤵
                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                  PID:6124
                                                                                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                    85⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    PID:5812
                                                                                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                      86⤵
                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                      PID:2168
                                                                                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                        87⤵
                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                        PID:3792
                                                                                                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                          88⤵
                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                          PID:340
                                                                                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                            89⤵
                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                            PID:5008
                                                                                                                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                              90⤵
                                                                                                                                                                                                PID:3324
                                                                                                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                  91⤵
                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                  PID:2776
                                                                                                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                    92⤵
                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                    PID:5896
                                                                                                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                      93⤵
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      PID:3392
                                                                                                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                        94⤵
                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                        PID:2588
                                                                                                                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                          95⤵
                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                          PID:3952
                                                                                                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                            96⤵
                                                                                                                                                                                                              PID:6136
                                                                                                                                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                97⤵
                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                PID:1616
                                                                                                                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                  98⤵
                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  PID:440
                                                                                                                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                    99⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    PID:968
                                                                                                                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                      100⤵
                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                      PID:3968
                                                                                                                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                        101⤵
                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                        PID:6092
                                                                                                                                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                          102⤵
                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                          PID:3948
                                                                                                                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                            103⤵
                                                                                                                                                                                                                              PID:4904
                                                                                                                                                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                104⤵
                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                PID:4148
                                                                                                                                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                  105⤵
                                                                                                                                                                                                                                    PID:1168
                                                                                                                                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                      106⤵
                                                                                                                                                                                                                                        PID:3556
                                                                                                                                                                                                                                        • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                          "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                          107⤵
                                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                                          PID:6088
                                                                                                                                                                                                                                          • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                            "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                            108⤵
                                                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                            PID:5408
                                                                                                                                                                                                                                            • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                              "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                              109⤵
                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                              PID:2956
                                                                                                                                                                                                                                              • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                                "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                                110⤵
                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                PID:6112
                                                                                                                                                                                                                                                • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                                  "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                                  111⤵
                                                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  PID:2532
                                                                                                                                                                                                                                                  • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                                    "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                                    112⤵
                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                    PID:5544
                                                                                                                                                                                                                                                    • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                                      "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                                      113⤵
                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                      PID:4652
                                                                                                                                                                                                                                                      • C:\windows\SysWOW64\magiclink.exe
                                                                                                                                                                                                                                                        "C:\windows\system32\magiclink.exe"
                                                                                                                                                                                                                                                        114⤵
                                                                                                                                                                                                                                                          PID:5496
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
                        1⤵
                          PID:768

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\firstrunm.txt

                          Filesize

                          255B

                          MD5

                          997b2a8efaa6b95f9d88c9af9bceaf8e

                          SHA1

                          bd4806ee779602171154c7d679b26af5b9bc3405

                          SHA256

                          3dc1a86a4172dbee0a1ace3a6a7fa733a368ddf1c9ec28dc410366a6b015faa2

                          SHA512

                          e1ca4e27f95b4d382a4cf13e33ef91bcdf7cea8029ee3b11e6f68b8c2d757e0cee1c982ab2badff0b03865b8d56fa624115420bf41d6b5df92790718adf9d9f7

                        • C:\Users\Admin\AppData\Local\Temp\tdllcope.vxd

                          Filesize

                          1000B

                          MD5

                          545a67d28de528c88e42c41b05693963

                          SHA1

                          83bba65a5bc8bbf58ef33a0507a328b6b74bba88

                          SHA256

                          a82df735cc734795b819657b152d756c0fbef394338997eacb7398d8024b5853

                          SHA512

                          0632600814005c11e2e8cdf17668040ba291d61f8702853b05357744fba74ff12e826661f6028932305a80fdffb79a9a41b55e9d9f3a9ab026530d7acd1e3a7e

                        • C:\Windows\SysWOW64\magiclink.exe

                          Filesize

                          645KB

                          MD5

                          14aa8760fa3e3d00d2b0e18b6491dc4f

                          SHA1

                          3d02f92123ce0aed6788e7a8c5fd32489ef94f2b

                          SHA256

                          580cdee9a1dcaa2c53c97cb0685058e81db7dd7b234c5f5818d8d44cec7548fb

                          SHA512

                          f14ec0ee64559e410ad43ca1d490df5f8da8a19527727996be81f461ab32d513437e62a2d4e2926f05e21653bde492ba66bc9af79d6295ec132d6eeebf71d854

                        • C:\Windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          641c989202ef4416e0ed0aebb95ae049

                          SHA1

                          036fece8123492b27074e0c4109f3b351474c0cd

                          SHA256

                          22337c145100557586348e61b5f5bb928f2826617dcdb1df1872c3f65385855d

                          SHA512

                          c931ba5c46eed8e009570015b5e5be5cf5e4046626472699010373b89fdfff46ac42132ebece79edd774812cd795dc358418a94eacb2d43b9e6060258022450c

                        • \??\c:\windows\SysWOW64\magiclink .exe

                          Filesize

                          405KB

                          MD5

                          3240e086a353fc80470b8f810da9ae91

                          SHA1

                          45277d99d9b78634a13607e1d395f94972d3550c

                          SHA256

                          9a7e85faf7130a0722b133992ed324239abdfdb1fb2a2cbf6bcfae03e75fb193

                          SHA512

                          43d46874c6272424299949cb3215c0ceb78ab912ebecb4dd9d2f847a0297caf57bcb693b07ef7c4c69d98e16b21c153a76a1a52f8b04c1c6db4708a5f2e4f668

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          b52c5813deb102d626f3226385bdcba9

                          SHA1

                          81d564737cc6f265e07a95d21a1f91f98b058269

                          SHA256

                          9c6dd67c94de0eb01997d3227d58342367afe7fea8a5edfe444a4049d14ff08b

                          SHA512

                          0bd1d8af4cc65a1e2941f0ac33802a09b231109c9685444f763b01e7a63ce211d189df3e1384bea2f665fc2d8e388c4625dd61099393b8017b91e37b57c9b8ae

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          284e432abdead511364e04b9429896ad

                          SHA1

                          de6071a90a2a5dac576e565df008c9dce35e2785

                          SHA256

                          63d57908e11e10407c8f71b87a89306cba9b33f64c563996b1e1b45c4466956a

                          SHA512

                          f157f79017ec64b69cccacb617a288c939d006e6a9820ae1834826ab26880b2175fc8c2c473ccff2dc9b6f537f96a38f7033539cfa23555db5390d1d71187d35

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          a33e4143af856e7a94ba496d1c4a096d

                          SHA1

                          373af3f18613d866fc846d08d216754aff402b5b

                          SHA256

                          8d4c47523610b1e64c908e9781f4a1d9bb356b8d6589c9093e477a3b689417bc

                          SHA512

                          f5f13c44cb0c7e2ccb7350096f7e5022ec0314acc76c2ad0efdd0290acee834377547ba93d41fd4b04d81067739d65f875e0d69dcaf88eb9f181dee5474dad01

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          49c8687d8ba8b2d832abe9d3439e239b

                          SHA1

                          3a3649488e09d18be7d54bae95e799a345881686

                          SHA256

                          1bc3df90840dc1ef2576a6aaef445f5b9254c8242881a0364c0d6c6800ab6ae8

                          SHA512

                          ce676120876c9b3a913eb2267537c0be57dbd312b534cff11b79b924fa2288028e35f6dcd94f3af0b850c55150a15192e8d9301dfba14aba47ff1a73a44409d9

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          47b86ecdf493e9e38b40fc51dfabe640

                          SHA1

                          bf8ea8c03c42d8d8f9e6ec033dc317083bf890ed

                          SHA256

                          31b6253e5354125245557855df72cd2c17a4f851120b26d30da24bb983a3af40

                          SHA512

                          91e1cfcc005e1323a48f228d1d5af6f99176fddf4e50f3da5b33374828bb23ed0180193ca08137c23373eb02d6b3956141c0f6a26d71d74d83d0de767f8cf118

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          01cd11568352fa4d3aabe0a1b252bf97

                          SHA1

                          51958dc562eee3d748e9d158fd55000261fe1a13

                          SHA256

                          941b77cc6857d1522c3af78c6389af06d6ffe6e054687c119d5b03407e6a3272

                          SHA512

                          feba7c1e72341f7362befb5e7480ee0b2e22b7a3ecb2d0f1d365d9fae45ec6f1dbb535510c7803bc1f2dfa90138dba21dab8d1545ac93e2a28251b6c7a490c9e

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          f479945b54eebcc067aa7ee4247445d7

                          SHA1

                          c96b3acd7f77a27bfe7a89359b8f6f5f3a3476b2

                          SHA256

                          55e82b8e87e6e09e69b0d09a0f5ceafdada88a1eb331e9dc3f4e315edd8c1b36

                          SHA512

                          21298efbafddf6ab4bfccdad3bd95e998aae7ba96cffc7dec58c1a250bdbcb0b37009d6cda225be1dcc5f9335eaca63f0b042db4d59d084108891571332d6aec

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          27d2d139a9a26dc55a008f1e4c502726

                          SHA1

                          15b7486b1b0fa549b40ff1698a5cff2fbbf10ac2

                          SHA256

                          ee16881d75f9d723404e9a19a175d71bc9dbdbe9a98f22b39f98066f0e0bb7de

                          SHA512

                          3ae02dabe2235098fb77f765f11c4eacf849d3011e27984a60160d6feff771cabd35135bcd49665e854d20f8237b9cafef1eb80018c88ab0267e795d635633a3

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          d3ee2768034c6ea119f0cf9a1a3e1553

                          SHA1

                          b3028fe3cf203787fb5b87be495c48054a367d82

                          SHA256

                          30e765fda05a0f250e5a01b0cf0adcc69bc0ffcb4cb967cfed1c4798935eb4b1

                          SHA512

                          3a7757b7ac3fce9b590be4472185f742d3e09a80945fd0c69ef609b5d61b031654210aeec3f7f0c48ef581bf9667260876820b44620b7a58af60b5b081512c43

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          bdb503d7505f35eeec34c944632cbc15

                          SHA1

                          ba75cb31629863e6d100675577ff10b4a3edb7d9

                          SHA256

                          0985e560a3b41a7559a075b6d15f936fe6a30328e5bbcacd8b5717e1a90bfa2f

                          SHA512

                          ade91431a2d0cd0c262fa7579df7713696ab00adc60cf239af3085066b9a65c781b6f2ff3713790798c9314f44c6e3484998d8e31aa379f2161f8527900f4929

                        • \??\c:\windows\SysWOW64\systemdllx.vxd

                          Filesize

                          20B

                          MD5

                          3f21e066a4c7eea6d1dff1d8beafb4ea

                          SHA1

                          075443556068e6b846c4e4613961f0121e402437

                          SHA256

                          5f8f247e7d36b55d650ede0fe83fb04393ee6d36d40f26125388921eda0ca929

                          SHA512

                          609a762e1fd705615b7312f08ab445758a016c739c71db22e6d34d0a94ecb48b7979d392b19234ad798998c035b1fbd92c4649b39d5aeddd8fbe346981cea3e0

                        • memory/340-312-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/432-287-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/432-294-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/440-193-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/464-447-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/464-264-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/556-142-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/844-383-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/1092-118-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/1104-200-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/1380-471-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/1580-117-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/1580-137-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2208-315-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2308-330-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2308-336-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2412-435-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2440-477-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2480-369-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2480-363-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2620-16-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2620-1-0x00000000025C0000-0x00000000025C1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2620-26-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2620-0-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2692-166-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2692-179-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2884-178-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/2884-186-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3160-465-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3204-417-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3208-396-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3216-453-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3232-207-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3284-459-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3332-154-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3400-397-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3400-221-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3400-404-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3400-213-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3556-229-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3556-222-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3624-495-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3748-155-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3748-175-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/3920-343-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4040-18-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

                          Filesize

                          4KB

                        • memory/4040-17-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4040-32-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4124-329-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4196-376-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4304-214-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4352-489-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4408-257-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4412-350-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4496-501-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4508-286-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4544-69-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4544-81-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4560-301-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4672-356-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4768-411-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/4812-279-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5020-322-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5020-316-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5076-105-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5128-507-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5308-389-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5392-230-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5392-237-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5408-429-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5536-93-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5568-68-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5604-31-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5604-40-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                          Filesize

                          4KB

                        • memory/5604-423-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5604-45-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5628-238-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5628-244-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5760-250-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5768-57-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5916-441-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5936-265-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/5936-276-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/6052-362-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB

                        • memory/6068-483-0x0000000000400000-0x000000000061E000-memory.dmp

                          Filesize

                          2.1MB